A number of Unix/Linux tools, e.g. Subversion (svn) and wget, use OpenSSL when they access HTTPS sites. While I found updating the trusted CA store in curl (which does not use OpenSSL) very easy (I just downloaded their weekly CA bundle), OpenSSL isn’t as self-explanatory. You may need this on older Linux distributions like openSUSE 10.3 running on “old” webservers, e.g. when you use svn to track changes of a web application and keep the repository on encrypted webspace (highly recommended!) but the CA is not trusted by your distribution’s OpenSSL package. I use StartSSL Free Class 1 certificates for some of my private servers, and their CA certificate is not included in many older distributions.

First you need to determine where OpenSSL keeps its files on your system. With the aforementioned openSUSE 10.3 this is:

cd /etc/ssl/certs

Download your CA’s root certificate:

wget http://www.startssl.com/certs/ca.pem -O startssl.pem

Determine the certificate’s hash:

openssl x509 -noout -hash -in startssl.pem

For StartSSL this is “33815e15”. Now create a symlink to the certificate file with the hash as the filename and with the filename extension “.0”.
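
The steps above as one script, given here as an added example that is not part of the original post: it computes the hash with the local openssl binary, prints the SHA-256 fingerprint so the downloaded file can be checked against the value the CA publishes, and picks the next free suffix if “.0” is already taken by a different certificate. The helper name link_ca and the script name link_ca.sh are hypothetical.

```shell
#!/bin/sh
# link_ca DIR FILE: make FILE (a PEM certificate already stored in DIR)
# findable by OpenSSL's hashed-directory lookup. Prints the link name.
# link_ca is a hypothetical helper name, not an OpenSSL command.
link_ca() {
    dir=$1
    file=$2

    # Refuse anything openssl cannot parse as an X.509 certificate.
    h=$(openssl x509 -noout -hash -in "$dir/$file") || return 1
    fp=$(openssl x509 -noout -fingerprint -sha256 -in "$dir/$file") || return 1

    # Show the fingerprint so it can be compared with the value the CA
    # publishes through a separate channel (the download above is plain HTTP).
    echo "$file: $fp" >&2

    # Lookup tries HASH.0, HASH.1, ... so two CAs with the same subject hash
    # need different suffixes. Reuse a slot that already holds this cert.
    n=0
    while [ -e "$dir/$h.$n" ] || [ -L "$dir/$h.$n" ]; do
        other=$(openssl x509 -noout -fingerprint -sha256 \
                    -in "$dir/$h.$n" 2>/dev/null) || other=
        if [ "$other" = "$fp" ]; then
            echo "$h.$n"
            return 0
        fi
        n=$((n + 1))
    done

    # Relative symlink, so the directory can be moved or copied as a unit.
    ln -s "$file" "$dir/$h.$n" || return 1
    echo "$h.$n"
}

# Usage as a script: sh link_ca.sh /etc/ssl/certs startssl.pem
if [ "$#" -eq 2 ]; then
    link_ca "$1" "$2"
fi
```

Run it on the machine whose trust store you are changing, since the hash is whatever that system’s openssl prints for the certificate.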
